U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Additional Improvements Needed To Strengthen NIST's Information Security Program

Final Inspection Report No. OSE-15078 / September 2002

PUBLIC RELEASE

Office of Systems Evaluation

U.S. Department of Commerce                                  Final Inspection Report OSE-15078
Office Of Inspector General                                                     September 2002

CONTENTS

EXECUTIVE SUMMARY ..... i
INTRODUCTION ..... 1
BACKGROUND ..... 3
OBJECTIVES, SCOPE, AND METHODOLOGY ..... 5
FINDINGS AND RECOMMENDATIONS ..... 7
I.   NIST Is Taking Steps To Improve Its Information Security Program ..... 7
II.  Information Security Policy and Procedures Are Missing Key Control Elements ..... 8
     A. NIST Lacks A Comprehensive Security Program Policy ..... 8
     B. Draft Certification and Accreditation Procedures Should Be Strengthened ..... 9
III. Management Controls Are Not Fully Implemented and Schedules Are Unrealistic For Achieving Adequate Product Content and Quality ..... 10
     A. Risk Assessments Have Not Been Completed ..... 10
     B. Systems Are Operational with Only Draft Security Plans in Effect ..... 11
     C. Systems Are Not Accredited ..... 11
     D. Deadlines for Security Plans and Accreditations Are Unrealistic ..... 12
     E. System Inventory May Not Reflect Actual Number of Operational Systems ..... 14
IV.  Security Controls Are Not Extended to External Collaborators and Researchers ..... 15
V.   Risk Levels for Positions Have Not Been Properly Assigned ..... 16
VI.  NIST Has Not Implemented a Capital Asset Planning Process ..... 17
VII. Proactive Attention from NIST Senior Management Could Improve Information Security ..... 19
ATTACHMENT ..... 24

EXECUTIVE SUMMARY

Information technology is critical to NIST's mission.
Much of NIST's research and other work depends on computer models, computer data, and other electronic information. With this increasing reliance on computing technologies, including the use of the Internet and its related information dissemination techniques, the potential for loss, compromise, and misuse of NIST data and systems grows daily.

The objective of our evaluation was to determine whether NIST's information security program for unclassified systems complies with the Government Information Security Reform Act (GISRA), which mandates that federal agencies have effective security for the information resources supporting their operations and assets. Using NIST's Security Self-Assessment Guide for Information Technology Systems, as recommended by OMB, we evaluated NIST's information security policies and procedures, roles and responsibilities, and adherence to applicable laws, regulations, and guidance.

We found that NIST is taking steps to improve information security, such as increasing its computer security staff, developing issue-specific security policies, and implementing a formal computer security incident reporting and handling process. Yet many important security requirements have not been met. Our evaluation found the following issues:

• NIST lacks a comprehensive information security program policy. Its current policy does not address critical roles and responsibilities and management control elements, such as risk management, review of security controls, and certification and accreditation,[1] that are required by GISRA. (See page 8.)

• NIST's policy assigns responsibility for authorizing system operations (also called accreditation) to the CIO, but not to the senior official whose mission the system supports. The CIO and the appropriate senior official should be co-accrediting officials. (See page 9.)

• None of NIST's 109 identified operational systems has a documented risk assessment or an approved security plan. Moreover, all but two lack accreditation. (See pages 10 and 11.)

• NIST has established a schedule to complete its risk assessments, security plans, and accreditations. We are concerned, however, that the schedule may be too ambitious to permit sufficient analysis, documentation, and review. (See page 12.)

• NIST's Sensitive Information Technology System Inventory did not include at least three operational systems from one laboratory, suggesting that there may be additional systems at NIST that have not been identified and should be included in that inventory. (See page 14.)

• NIST does not ensure that the system user accounts of external researchers and collaborators who no longer need them are removed from NIST computer systems in a timely manner, thus leaving its systems vulnerable to unauthorized access. (See page 15.)

• Risk designations assigned to some positions are inconsistent with their levels of responsibility and trust. Employees filling these positions have not received the appropriate level of background investigation, thus increasing the potential for an individual in a position of public trust to cause harm to the efficiency and integrity of NIST programs and operations. (See page 16.)

• NIST does not have a process in place for effectively planning and controlling information technology investments across the organization and therefore lacks a means of ensuring that information security requirements and costs are appropriately addressed in capital asset planning. (See page 17.)

• NIST does not have a permanent CIO; its CIO office resides in the Information Technology Laboratory (ITL) and reports to ITL's acting director, who also serves as the acting CIO. We believe that an empowered CIO (one who has the support of the NIST director and sufficient resources) is essential for improving NIST's information security program, as well as its management of its IT resources in general. (See page 20.)

Since the completion of our fieldwork, the director of NIST has taken important steps toward improving information security by issuing a memorandum acknowledging his responsibility for the security of NIST's data and IT systems and directing all members of NIST's upper management to give information security high priority and ensure that the agency's policies, procedures, and operational environment are exemplary. (See page 20.)

We made numerous recommendations for improving information security (see pages 10, 14, 16, 17, 19, and 21).

NIST's response to our draft report stated that it generally agreed with our findings and recommendations and described actions being taken or planned. Following each set of recommendations, we have included a brief synopsis of NIST's response and, where appropriate, our comments.

Although the response indicates that the schedule for accreditation has been extended, we remain concerned that it still does not allow enough time to adequately complete all needed analysis, documentation, and testing. We discuss NIST's response and our concerns regarding this matter on page 14. NIST's response to our draft report is included in its entirety as the attachment.

[1] Certification is the formal testing of the security safeguards implemented in a computer system to determine whether they meet applicable requirements and specifications. Accreditation is the formal authorization by management for system operation, including an explicit acceptance of risk.

INTRODUCTION

Automated teller machines, atomic clocks, mammograms, and semiconductors are among the innumerable products and services that rely in some way on the work of the National Institute of Standards and Technology (NIST). NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. Most of NIST's work is done at two locations: Gaithersburg, Maryland, and Boulder, Colorado. The agency has a staff of more than 3,000 full-time scientists, engineers, technicians, and support personnel, plus 1,600 visiting researchers and 2,000 collaborators at affiliated centers around the country and overseas.

An ever-increasing amount of NIST's work depends on computer models, computer data, and other electronic information.
With NIST's increasing reliance on computing technologies, including the use of the Internet and its related information dissemination techniques, the potential for loss, compromise, and misuse of NIST data and facilities has grown tremendously.

The Government Information Security Reform Act (GISRA), Title X, subtitle G, of the 2001 Defense Authorization Act (P.L. 106-398), was signed into law on October 30, 2000. This law contains a subchapter on information security that primarily addresses managing, implementing, overseeing, and ensuring the security of unclassified and national security information systems.

Under GISRA, information security is the responsibility of federal agency senior management: the agency head, senior line managers, and the chief information officer (CIO). Other senior officials are responsible for assessing security risks associated with operations and assets for the programs and systems they control. Each agency head is charged with ensuring the security of information and information systems through promotion of security as an integral component of that agency's business operations. Each head is also charged with ensuring that an information security plan to safeguard the privacy, confidentiality, and security of federal information is carried out throughout the life cycle of each system. In turn, the Secretary of Commerce has charged all departmental operating unit heads with these same responsibilities for their organizations, directing them to give information security high priority, sufficient resources, and their personal attention.[1]

The department CIO is required to administer the information security program agencywide. This entails developing the security program, ensuring that the program is effectively implemented and maintained, training and overseeing personnel with significant responsibilities for information security, and assisting other senior agency officials with their information security responsibilities.

GISRA also requires all federal agencies to perform annual reviews of their security programs and the Office of Inspector General (OIG) for each agency to conduct independent evaluations of agency information security programs. As part of our work under GISRA, this report presents our evaluation of NIST's agencywide information security policies and procedures.

Our evaluation was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency and was performed under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated May 22, 1980, as amended.

[1] Memorandum from Donald Evans to Secretarial Officers and Heads of Operating Units, "High Priority to Information Technology (IT) Security," July 27, 2001.

BACKGROUND

Founded in 1901, NIST is a non-regulatory federal agency within the Department of Commerce.
The agency carries out its mission through four cooperative programs:

• NIST Measurement and Standards Laboratories – Eight laboratories employing physical and engineering scientists who provide leadership for vital components of the technology infrastructure needed by U.S. industry to continually improve its products and services.

• Advanced Technology Program – A competitive program that provides cost-sharing awards to industry for development of high-risk technologies with broad economic potential, such as computer hardware, computer systems, and software applications.

• Manufacturing Extension Partnership – A nationwide network of local centers offering technical and business assistance to smaller manufacturers.

• Malcolm Baldrige National Quality Award – A highly visible quality outreach program that recognizes business performance excellence and achievement by U.S. manufacturers, service companies, educational organizations, and health care providers.

NIST's Allocation of Information Security Responsibilities

Responsibility for information security is distributed among NIST's operating units (Figure 1). Key roles and responsibilities are described here and in Appendix A.

According to Chapter 11 of NIST's Administrative Manual, the director of the Information Technology Laboratory (ITL), with the approval of the NIST deputy director, appoints the NIST computer security officer. The computer security officer develops and implements the computer security program.

Unit directors are required to appoint a security officer to implement the security program within their units. According to NIST, these responsibilities are generally considered collateral duties.

Figure 1. NIST Organization Chart (chart not reproduced; it shows the Director's Office with the following units: Director, Boulder Laboratories; Baldrige National Quality Program; Director for Administration and Chief Financial Officer; Technology Services; Advanced Technology Program; Manufacturing Extension Partnership; and the Manufacturing Engineering, Chemical Science and Technology, Materials Science and Engineering, Electronics and Electrical Engineering, Information Technology, Physics, and Building and Fire Research laboratories.)
OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of our evaluation was to determine whether NIST's information security program for unclassified systems complies with GISRA, which seeks to achieve effective security for information resources supporting federal operations and assets. Our evaluation covered NIST's information security policies and procedures, their attendant roles and responsibilities, and adherence to applicable laws, regulations, and guidance.

To satisfy the objective, we reviewed NIST's information security policies and procedures, NIST's self-assessments of information systems and security controls that comprised its fiscal year 2001 GISRA submission, and its Corrective Plan of Action and Milestones.

In addition, we interviewed the acting CIO and the directors, deputy directors, and information security officers of the Advanced Technology Program and of the Manufacturing Engineering, Information Technology, and Physics laboratories. We also interviewed the director of Human Resources, the NIST computer security officer, and members of NIST's budget staff.

We used as criteria OMB Circular A-130,[2] Appendix III, Security of Federal Automated Information Resources; NIST's Security Self-Assessment Guide[3] (control areas listed in Table 1); the Computer Security Act of 1987; and GISRA.

Table 1. NIST Security Control Areas

Management Controls
• Risk Management
• Review of Security Controls
• Life Cycle
• Certification and Accreditation
• System Security Plan

Operational Controls
• Personnel Security
• Physical Security
• Production, Input/Output Controls
• Contingency Planning
• Hardware and System Software Maintenance
• Data Integrity
• Documentation
• Security Awareness, Training, and Education
• Incident Response Capability

Technical Controls
• Identification and Authentication
• Logical Access Controls
• Audit Trails

[2] Office of Management and Budget. 1996. Circular No. A-130: Management of Federal Information Resources. Washington, D.C.: Office of Management and Budget, Executive Office.

[3] National Institute of Standards and Technology. 2001. Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26. Gaithersburg, MD: National Institute of Standards and Technology.

Our fieldwork was conducted from March through May 2002.
We held an exit conference on July 19, 2002, with the NIST deputy director, acting CIO, computer security officer, and members of their staff. NIST officials generally agreed with our findings and recommendations.

FINDINGS AND RECOMMENDATIONS

I. NIST Is Taking Steps To Improve Its Information Security Program

OMB Circular A-130 and GISRA require that federal agencies develop, implement, and administer agencywide information security programs that include policies, procedures, and controls that afford security protections commensurate with the risk and magnitude of harm. GISRA further requires that agencies:

• ensure that information security plans are in effect throughout the life cycle of the system,
• establish appropriate levels of security,
• periodically test and evaluate security controls,
• designate a security official who reports to the CIO,
• train personnel with information security responsibilities,
• provide security awareness training, and
• establish procedures for detecting and responding to computer incidents.

Our evaluation found that NIST has taken several steps to make its information security program more effective and bring it into compliance with current departmental and federal IT security policies. For example:

• In FY01, NIST increased its computer security staff from one full-time staff member to four to better assist operating units with improving their security posture and compliance with policies, develop formal security awareness and training programs, and address security issues resulting from the rapid expansion in NIST's use of information technology.

• NIST also developed and published issue-specific information security policies, procedures, and guidance that address current and relevant concerns, such as the computer intrusion response team operating policy, incident reporting procedures, the undesirable e-mail policy, the firewall policy, the information technology resources access policy, and communications, security planning, and telecommuting policies.

• The NIST information security officer developed and posted to the security web site a system security plan template, guidance, and a list of frequently asked questions to assist unit computer security officers in developing their system security plans. Also posted to the security web site were templates for the NIST SP 800-26 self-assessment questionnaire and a contingency plan based on NIST SP 800-34.

• NIST hired a contractor to support, throughout FY02, completion of risk assessment activities that involve development of a comprehensive risk assessment methodology, a broad-based risk assessment, a focused risk assessment for four identified critical systems, and preparation of the FY02 GISRA report.

• NIST developed and implemented a formal information security awareness and training program. All new employees, as part of their orientation, are briefed by the IT Security Office on the NIST Information Security Program, proper use of NIST's information resources, and procedures for reporting computer incidents. (In April 2002, NIST held its first "Annual Computer Security Day" at the Gaithersburg and Boulder campuses, in an effort to initiate periodic refresher training. The one-day event included guest speakers, updates on various computer security efforts, information on NIST Computer Security Division services, and information on vendor products.)

• NIST also established and implemented a formal and documented information security incident reporting and handling process consistent with OMB Circular A-130 and GISRA requirements. As part of this effort, NIST fielded an intrusion detection system (IDS). Data from the IDS and firewalls are transmitted to the incident response team for review and analysis and electronically transmitted to the General Services Administration's Federal Computer Incident Response Center (FedCIRC) for analysis.
\t   Information Security Policy and Procedures Are Missing Key Control\n        Elements\n\nWhile NIST is taking steps to improve its information security program, its security\nprogram policy is missing critical elements, and certification and accreditation\nprocedures need to be strengthened.\n\nA.\t     NIST Lacks A Comprehensive Security Program Policy\n\nAn effective information security program requires clear direction from senior\nmanagement. Senior management must assign security responsibilities to organizational\nelements and individuals and must formulate the security policies that become the\nfoundation for the organization\xe2\x80\x99s security program. These policies must be based on an\nunderstanding of the organization\xe2\x80\x99s mission priorities and the assets and business\noperations necessary to fulfill them. They are also the primary mechanism by which\nmanagement communicates its views and requirements and establishes cost-effective\norganizational and system security controls.\n\nChapter 11 of NIST\xe2\x80\x99s Administrative Manual establishes the foundation for NIST\xe2\x80\x99s\nsecurity program and its use by the operating units. It specifies policies regarding the\nsecurity of computing resources and assigns roles and responsibilities for information\nsecurity to organizational elements.\n\nWe found, however, that the manual is missing critical information security control\nelements required by GISRA. Specifically, the policy does not assign responsibilities to\nthe director of NIST and to the CIO for developing, implementing, and maintaining an\n\n\n                                              8\n\x0cU.S. Department of Commerce                                  Final Inspection Report OSE-15078\nOffice Of Inspector General                                                     September 2002\n\nagencywide security program. 
The policy also lacks key controls, including risk\nmanagement, review of security controls, life cycle management, certification and\naccreditation, and contingency planning. As discussed in this report, improvements are\nneeded to better implement these controls.\n\nEstablishment of a comprehensive information program that includes a security\nmanagement structure and a documented up-to-date security plan or policy is required for\nthe protection of sensitive data and resources. Protecting mission critical data is essential\nto the success of NIST\xe2\x80\x99s information security program.\n\nOn its computer security web site, NIST has posted a document titled \xe2\x80\x9cRecommended\nNIST Computer Security Procedures,\xe2\x80\x9d but it contains policies, not procedures. We were\ntold the document was so titled because of the difficulty getting a policy document\napproved; it was reportedly easier to circulate this document under the guise of\n\xe2\x80\x9cprocedures.\xe2\x80\x9d Consequently, there is confusion because required baseline security\npolicies are stated as \xe2\x80\x9crecommended\xe2\x80\x9d procedures, which by definition, do not have the\nsame impact as required policy. Incorporating the appropriate sections of this document\ninto NIST\xe2\x80\x99s security program policy would reduce confusion and provide users with a\nsingle, comprehensive policy statement.\n\nB.     Draft Certification and Accreditation Procedures Should Be Strengthened\n\nOMB Circular A-130 requires senior management officials whose mission could be\nadversely affected by security weaknesses to formally authorize the use of a system\nbefore it becomes operational. This authorization, also referred to as accreditation,\ndenotes that the manager understands and accepts responsibility for risks associated with\nputting the system into operation. Authorization is based on a certification, the formal\nassessment of the management, operational, and technical controls. 
The security plan documents the system's protection requirements and the security controls currently in effect. The certification, along with the security plan, forms the basis for management's decision to authorize processing. A system should be reauthorized following any significant change or every three years at a minimum, more often where risk and the potential magnitude of harm are high.

NIST's policy assigns the role of authorizing official to the CIO but not to the manager whose mission the system supports. The rationale is that the CIO is responsible for NIST's technology infrastructure, and because most systems are tied to that infrastructure, vulnerabilities in one system would leave the entire network vulnerable. For those interconnected systems, NIST should designate the senior management official and the CIO co-accrediting officials, since the mission of both managers could be adversely affected by information system security weaknesses. For standalone systems, the senior mission manager can be the single accrediting official.

Recommendations

We recommend that the director of NIST ensure that NIST managers take the following actions to achieve compliance with GISRA and other applicable laws, regulations, and guidance:

1. Update and expand Chapter 11 of the Administrative Manual to provide a comprehensive information security program policy:

   a. Ensure that all roles and responsibilities for information security, including those of the director and CIO, are explicitly identified and documented and consistent with GISRA requirements.

   b. Review the security document, "Recommended Computer Security Procedures," for incorporation of appropriate sections into Chapter 11 as policy, and supplement it with additional policy and procedures as needed.

2. Revise policy on accreditation to designate as accrediting or co-accrediting officials those senior officials whose mission could be adversely affected by information system security weaknesses.

Synopsis of NIST's Response

The response stated that a revision to Chapter 11.02 of the NIST Administration Manual, which expands the information security policy, has been drafted and is being reviewed by management. A modification to the certification and accreditation policy has also been drafted making operating unit directors and the NIST CIO co-accrediting officials. The response noted that this policy change will not be implemented until FY03; in FY02, systems will be accredited only by the operating unit directors.

III. Management Controls Are Not Fully Implemented and Schedules Are Unrealistic for Achieving Adequate Product Content and Quality

Senior management officials are responsible for controlling risks within their information systems. Management controls include risk management, review of security controls, life cycle management, certification and accreditation, and system security plans. At NIST, risk assessments have not been completed, security plans have not been finalized, and the majority of its systems are operating under interim authority (that is, they have not been accredited). Schedules for completing these tasks are too aggressive to provide the intended degree of assurance.

A. Risk Assessments Have Not Been Completed

GISRA requires program officials to determine and assess risks to the operations and assets they control.
OMB Circular A-130 no longer requires agencies to prepare formal risk analyses but does require them to use a risk-based approach to determine adequate security. This means security must be commensurate with the risk and magnitude of potential harm resulting from the loss, misuse, or unauthorized access to or modification of information. Risk assessments should incorporate (1) the value of the system or application, (2) the possible costs of enacted threats or exploited vulnerabilities, and (3) the effectiveness of current or proposed safeguards. Assessing risk to a system is an ongoing necessity, ensuring that new threats and vulnerabilities are identified so appropriate security measures can be implemented.

Although we found that none of NIST's 109 identified operational systems have documented risk assessments, in March 2002, during our evaluation, NIST awarded a contract to develop a comprehensive risk assessment methodology and conduct a broad-based risk assessment and a focused risk assessment for four critical systems. Once developed, the risk assessment methodology will be used by unit security officers to complete their individual risk assessments. NIST expected the methodology to be completed on June 30, 2002, and required that the remaining risk assessments be completed by July 26, 2002. As of July 2, 2002, the methodology was received and distributed to several operating units for feedback. However, at the time of our exit conference on July 19, the assessment methodology had not been distributed to all operating units for use.

B. Systems Are Operational with Only Draft Security Plans in Effect

Security plans provide an overview of the system's security requirements and describe the methods used to assess the nature and level of risk to the system. These plans are based on an analysis of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. At NIST, the unit security officer, who represents the business area that will use the system, works with the system owner to prepare and maintain the plan. The Computer Security Act of 1987 requires that security plans be reviewed annually and revised as needed to ensure that security controls can handle significant changes to the system as well as rapidly changing threats.

All of NIST's inventoried systems have draft security plans. Between March and April 2002, the NIST security officer informed all system owners of the schedule requiring final security plans for all systems to be completed by July 26, 2002.

C. Systems Are Not Accredited

OMB Circular A-130 requires management officials to formally authorize, based on an assessment of the management, operational, and technical controls, the use of a system before it becomes operational. This accreditation denotes that the manager understands and accepts responsibility for risks associated with putting the system into operation. The security plan establishes and documents system protection requirements and the security controls in place, and thus forms the basis for management's decision to authorize processing.

We found that, with the exception of two systems, all of NIST's operational systems are operating without accreditation. Although these systems have been granted interim authority to operate, the lack of accreditation indicates that management has neither formally reviewed the controls nor explicitly accepted the associated risk, and therefore there is no assurance that NIST's operational systems are adequately protected. NIST is requiring that all documentation needed to support accreditation be submitted to the information security officer by August 15, 2002.

D. Deadlines for Security Plans and Accreditations Are Unrealistic

Requirements for security plans and accreditations are not new. For example, the Computer Security Act, passed in January 1988, mandated that federal agencies establish, within one year, a plan for the security of each of their computer systems and revise the plan annually if necessary. However, many federal agencies, including NIST, have not fully implemented these requirements. As a result of GISRA and oversight by OMB and the Department, they are now under intense pressure to do so. Therefore, the Department has established a deadline for completion and approval of all security plans by the end of September 2002. In response, NIST is requiring all final security plans by July 26; it also has established a deadline for accreditation packages by August 15 and completion of accreditation by August 30.

To meet these deadlines, NIST posted guidance to units on its web site that established milestones for final system security plans, completed certifications, and submission of accreditation packages for its 109 identified operational systems, as described in Figure 2. We believe that these milestones do not allow enough time for quality processes and products. Furthermore, although NIST received a risk assessment methodology from its contractor on July 2, at the time of our exit conference (July 19) the methodology had still not been distributed to all units so that they could conduct their risk assessments. As all the future dates depend on the risk assessments having been done by July 26, this delay has ramifications for all subsequent dates. Given this schedule slippage, we are concerned that the current schedule will not allow sufficient time for the remaining work in this area.

We concur that these important activities need to be completed as soon as possible, but are concerned about the quality of the plans and certifications that will result from this aggressive schedule. Given the delay, the proposed schedule appears to place an unreasonable burden on the information security staff, which needs sufficient time to ensure the appropriate product content and quality for the security plan and accreditation package submissions before they are approved. NIST needs to ensure that its security plans, certifications, and accreditations are of sufficient quality to impart the intended degree of assurance.

Figure 2. Timeline for Information Security Activities

(Timeline reconstructed from the extracted figure layout; the status symbol attached to each milestone did not survive extraction.)

    3/30/02   Contract awarded to develop risk assessment methodology
    6/30/02   Risk assessment methodology received by ISSO July 2, 2000
    7/26/02   Due for all 109 identified systems: risk assessments, security plans, contingency plans
    8/15/02   Accreditation packages due
    9/01/02   Accreditations completed

    Legend: milestone accomplished; milestone not met; milestone in jeopardy for appropriate content and quality

E. System Inventory May Not Reflect Actual Number of Operational Systems

During our evaluation we identified three Advanced Technology Program operational systems (electronic submission system, electronic proposal review, and proposal management system) that were not included in NIST's Sensitive Information Technology System inventory. The inventory is used to identify, and track the status of, all systems subject to security controls (risk assessments, security plans, and accreditation). Our concern is that there may be additional systems at NIST that have not been identified and need to be added to the inventory. If systems are omitted from the inventory, they may not receive the attention needed to ensure that their security is effectively managed. Guidance on determining how to identify systems subject to security controls is contained in the security planning "frequently asked questions" section on NIST's intranet and is limited to a definition from NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems.4 NIST should expand on the key aspects of the guidance contained in NIST SP 800-18 and ensure that it is readily available to the units and applied appropriately.

Recommendations

We recommend that the director of NIST ensure that NIST managers take the following actions:

1. Develop a schedule that allows sufficient time for completing and approving risk assessments, security plans, and accreditations to enable staff to provide adequate product content and results that impart the intended degree of assurance.

2. Accredit all operational systems and update accreditations for all operational systems every three years, at a minimum, or whenever a significant change in the system occurs.

3. Extract key aspects of the guidance contained in NIST SP 800-18 on how to identify systems subject to security controls and ensure that it is readily available to the units and applied appropriately.

4. Review the system inventory to ensure that all systems, particularly those subject to security controls, are included.

Synopsis of NIST's Response

The response indicated that the risk assessment methodology was delivered to NIST's operating units on July 22, and the deadline for completing system accreditation was extended to September 30. It further stated that in FY03, NIST's IT security officer will conduct an independent review of certified and accredited systems and make recommendations to the NIST CIO.

NIST's response also noted that system owners were provided with additional guidance on system boundaries and directed to reassess the system inventory. The reassessment resulted in an inventory of 109 operational systems.

OIG Comments

Given the complexity and importance of the activities required to accomplish certification and accreditation, including testing the security controls to ensure that they perform as intended, we remain concerned that even with the schedule extension, there is not enough time to adequately complete all of the requisite activities and documentation. We believe that the accreditations should be considered provisional until there is confirmation that each system has all needed security controls and that these controls have been tested to ensure they perform as intended.

The previous inventory had 130 operational systems. The revised number (109) is reflected throughout our final report.

4 National Institute of Standards and Technology. 1998. Guide for Developing Security Plans for Information Technology Systems. Gaithersburg, MD: National Institute of Standards and Technology.

IV. Security Controls Are Not Extended to External Collaborators and Researchers

During our review, we found that problems with NIST's management of user accounts for external collaborators (researchers who do not reside at NIST's Gaithersburg or Boulder campus) left NIST's systems vulnerable to unauthorized access. Under the current process, system administrators and unit information security officers who are responsible for maintaining access to NIST resources are not always informed when external collaborators no longer need access to NIST resources. Often they find out months or even years later that a person no longer requires access and that the account should have been closed. This situation was documented in the Manufacturing Engineering Laboratory's system security plan as an operational controls weakness. A similar issue was noted in the Department's Consolidated Financial Statements FY 2001,5 where it was reported that NIST needed to implement procedures to ensure that departing employees' system user accounts are removed from computer systems in a timely manner.

NIST is currently addressing this issue for its own employees and for researchers working on each campus. NIST is also developing systems to track employees and resident guest researchers; however, these systems do not address collaborators and researchers who are not on NIST campuses but who use NIST computing resources.

5 U.S. Department of Commerce. 2002. Improvements Needed in the General Controls Associated with the Department's Financial Management Systems, Consolidated Financial Statements FY 2001. Washington, D.C.: U.S. Department of Commerce.
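The gaps described in finding III.C through III.E (systems operating while absent from the inventory, unaccredited, or past the three-year reaccreditation point) and in finding IV (collaborator accounts left open long after access should have ended) are the same kind of failure: an authoritative list is never reconciled against what is actually running or enabled, so nobody is prompted to act. The Python script below is an added example of such a reconciliation, not NIST's code and not part of this report; every system name, account, sponsor, and date in it is constructed, and the only values taken from the report are the 109-system context, the July 19, 2002 exit-conference date, and the three-year reaccreditation interval stated in Section II.B.

```python
"""Reconciliation checks for two findings of the report: systems that are
operational but not inventoried, unaccredited, or overdue for reaccreditation
(Section III.C-E), and external-collaborator accounts still enabled after the
sponsored access window has ended (Section IV).

Added example, not NIST's code. All names, dates, and accounts below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# "every three years at minimum" (OMB Circular A-130, as summarized in II.B)
REACCREDIT_AFTER = timedelta(days=3 * 365)


@dataclass
class SystemRecord:
    """One row of the sensitive-system inventory (constructed schema)."""
    name: str
    plan_status: str                          # "draft" or "final"
    risk_assessment_documented: bool
    accredited_on: Optional[date]             # None = interim authority only
    last_significant_change: Optional[date]


@dataclass
class Collaborator:
    """One row of the external-collaborator roster (constructed schema)."""
    account: str
    sponsor: str        # unit that requested the access
    access_ends: date   # date after which the account should be closed


def accreditation_findings(inventory: List[SystemRecord],
                           observed: Set[str],
                           today: date) -> List[Tuple[str, str]]:
    """Flag inventory gaps and accreditation problems as (system, finding) pairs.

    `observed` is the set of system names actually found operating (for
    example from a host or application enumeration); anything there that is
    not in the inventory is the Section III.E problem.
    """
    findings = []
    inventoried = {s.name for s in inventory}
    for name in sorted(observed - inventoried):
        findings.append((name, "operational but not in inventory"))
    for s in inventory:
        if not s.risk_assessment_documented:
            findings.append((s.name, "no documented risk assessment"))
        if s.plan_status != "final":
            findings.append((s.name, "security plan still in draft"))
        if s.accredited_on is None:
            findings.append((s.name, "not accredited (interim authority only)"))
            continue
        if today - s.accredited_on > REACCREDIT_AFTER:
            findings.append((s.name, "accreditation older than three years"))
        if (s.last_significant_change is not None
                and s.last_significant_change > s.accredited_on):
            findings.append((s.name, "significant change since accreditation"))
    return findings


def stale_collaborator_accounts(roster: List[Collaborator],
                                enabled_accounts: Set[str],
                                today: date) -> List[Tuple[str, str]]:
    """Flag enabled accounts whose sponsored access has ended, and enabled
    accounts with no roster entry at all (no sponsor exists to send the
    closure notice the report says administrators never receive)."""
    by_account = {c.account: c for c in roster}
    stale = []
    for acct in sorted(enabled_accounts):
        c = by_account.get(acct)
        if c is None:
            stale.append((acct, "enabled but not on collaborator roster"))
        elif c.access_ends < today:
            stale.append((acct, f"access ended {c.access_ends.isoformat()}; "
                                f"notify sponsor {c.sponsor}"))
    return stale


# Constructed sample data; only the exit-conference date is from the report.
TODAY = date(2002, 7, 19)
INVENTORY = [
    SystemRecord("lims-gaithersburg", "final", True, date(2002, 5, 1), None),
    SystemRecord("atp-proposal-review", "draft", False, None, None),
    SystemRecord("payroll-gateway", "final", True, date(1998, 3, 15), None),
    SystemRecord("boulder-fileserver", "final", True, date(2001, 9, 1), date(2002, 2, 1)),
]
OBSERVED = {"lims-gaithersburg", "atp-proposal-review", "payroll-gateway",
            "boulder-fileserver", "atp-electronic-submission"}
ROSTER = [
    Collaborator("jdoe", "MEL", date(2001, 12, 31)),
    Collaborator("asmith", "ITL", date(2003, 1, 31)),
]
ENABLED = {"jdoe", "asmith", "oldguest"}

if __name__ == "__main__":
    for system, finding in accreditation_findings(INVENTORY, OBSERVED, TODAY):
        print(f"[inventory] {system}: {finding}")
    for acct, finding in stale_collaborator_accounts(ROSTER, ENABLED, TODAY):
        print(f"[accounts]  {acct}: {finding}")
```

Run as written, the script lists one system found operating outside the inventory, one system with no risk assessment, a draft plan and no accreditation, one accreditation older than three years, one system changed since accreditation, and two collaborator accounts that should have been closed or at least questioned. In practice the inventory and roster would come from the unit's tracking system and the observed sets from host or directory enumeration; the point of the collaborator check is that closure then depends on a scheduled comparison rather than on someone remembering to send notice.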
Recommendation

We recommend that the director of NIST ensure that NIST managers verify that system administrators and information security officers are promptly notified when external researchers and collaborators no longer need access to NIST resources.

Synopsis of NIST's Response

The response noted that in FY01, NIST began developing a system for tracking guest researchers who have a NIST badge and that the system will be expanded to include tracking of all guest researchers and external collaborators.

V. Risk Levels for Positions Have Not Been Properly Assigned

NIST has numerous positions that involve policymaking, major program responsibility, and other duties demanding a significant degree of public trust. These types of positions are normally designated as high- or moderate-risk positions. Agency heads are required to designate every competitive service position within the agency at a high-, moderate-, or low-risk level as determined by the position's potential for adversely affecting the efficiency and integrity of government programs and operations.6 These designations are important because they determine the depth of background investigation required.

We reviewed risk level designations for positions held by employees of the Advanced Technology Program and the Mechanical Engineering, Information Technology, and Physics laboratories. With the exception of ITL, all had positions with risk designations that were inconsistent with their levels of responsibility and trust.
For example, system administrators and information security officers—whose work responsibilities directly affect government programs and operations—were designated as low risk; thus employees filling these positions had not received the level of background investigation commensurate with the risk level of their responsibilities. The ITL managers, however, had already reviewed employees' position designations, assigned appropriate risk levels, and submitted paperwork to conduct the appropriate background investigation required by their new proposed designation.

In a previous effort to identify the criteria used Department-wide to determine appropriate risk levels and their associated background investigations, we noted a lack of guidance from the Department's Office of Human Resources Management (OHRM) and the Office of Security (OSY). We addressed this issue in our report, Program for Designating Positions According to Their Risk and Sensitivity Needs to Be Updated and Strengthened, Final Inspection Report No. OSE-14486/September 2001, which includes recommendations that the Department provide operating units with updated guidance for determining appropriate risk levels and their associated background investigations. Both OSY and OHRM agreed to provide updated guidance based on OPM regulation and guidance and to ensure that the roles and responsibilities of heads of operating units, subordinate managers and supervisors, servicing personnel officers, and security officers are clearly stated.

6 Positions designated as low risk are not considered "public trust" positions.
Thus, NIST needs to ensure that its efforts to review and appropriately adjust the risk levels associated with sensitive positions are consistent with the Department's forthcoming guidance.

Recommendation

We recommend that the director of NIST take the necessary actions to ensure that NIST managers work with the Department's Office of Human Resources and Office of Security to verify that all current positions are properly designated according to risk and that appropriate background investigations are conducted for all NIST staff.

Synopsis of NIST's Response

The response stated that the director will issue a memorandum to NIST operating units directing that all personnel who hold system administrator privileges to access any NIST server must have an ADP risk level of either moderate or high.

OIG Comments

This action will only partially address our recommendation. In addition to system administrator positions, NIST has numerous positions that involve policymaking, major program responsibility, and other duties that demand a significant degree of public trust. These types of positions are normally designated as high- or moderate-risk. All positions should be reviewed to determine whether they are properly designated according to risk.

VI. NIST Has Not Implemented a Capital Asset Planning Process

The 1996 Clinger-Cohen Act attempted to address longstanding problems and eliminate failures in the federal government's acquisition and use of IT by calling for agencies to establish a capital planning and investment control process—applicable to all IT capital assets7—to help ensure that appropriate IT projects are funded and well managed and that planning, budgeting, acquisition, and management of IT resources are integrated.
In response, Commerce established an IT capital planning and investment control process at the Department level for projects requiring special attention8 and required each operating unit to implement a process of its own.

7 OMB Circular A-11 defines an IT capital asset as IT that is used by the federal government and has an estimated useful life of two years or more. Capital assets do not include items acquired for resale in the ordinary course of operations or items that are acquired for physical consumption, such as operating materials and supplies.

8 Projects that merit special attention are (1) Department-wide or interagency systems; (2) those with political sensitivity, mission criticality, or risk potential; (3) those with life cycle costs higher than $25 million; or (4) those experiencing difficulties.

GISRA and OMB policy note that information security must be a component of the system's architecture and implemented and managed throughout the system's life cycle. Thus agencies are required to identify and budget for security measures and resources needed to protect their IT investments throughout the investment's life cycle. OMB Circular A-11,9 stipulates that each agency's annual budget request, in Exhibit 53, "Agency IT Investment Portfolio," must include security costs for its IT projects as a percentage of the total system cost or project investment.
Also, a capital asset plan (Exhibit 300) must be provided for each major IT project;10 it must indicate whether the project's information security meets GISRA requirements and describe the security and privacy measures to be used.

Despite these objectives and requirements, NIST does not have an IT capital planning and investment control process. As a consequence, it lacks a mechanism to ensure that information security is properly planned and budgeted. Its life cycle management manual for IT, which addresses capital investment planning, is in draft and has not been implemented; and its IT Policy Council, which is to perform oversight of the process, has not begun to do so.11 An official in the NIST CIO's office told us that this process will be prototyped in ITL prior to NIST-wide implementation, but no date has been scheduled for finalizing and implementing the process.

In its budget guidance for FY 2003, the NIST budget office advised that because of increased scrutiny of IT expenditures, particularly those related to information security, additional detail would be required to support budget requests. Specifically, each unit was required to designate how much of its total IT spending was for information security, with costs presented in five categories: program planning and management; evaluation and testing; technical controls; security awareness, training, and education; and incident response. Each unit's information was consolidated into a NIST-wide Exhibit 53. However, the NIST CIO's office provided neither guidance nor review of these costs, leaving their validity questionable.
A capital asset planning process would assist NIST in integrating the IT and budget processes.

In guidance for IT budgeting for FY 2004, the Department CIO identified NIST's Grants Management Information System as a major system requiring a capital asset plan, reflecting OMB's increased attention to grants management. The guidance also stated that all new IT investments, as well as modifications and enhancements of existing systems which exceed base funding, must be described in capital asset plans at a level of detail commensurate with the size of the investment.

9 Office of Management and Budget. 2001. Circular A-11. Washington, D.C.: Executive Branch Office of Management and Budget.

10 A major IT project requires special management attention because of its (1) importance to an agency's mission; (2) high development, operating, or maintenance costs; (3) high risk; (4) high return; or (5) significant role in the administration of an agency's programs, finances, property, or other resources. Major IT projects must have the concurrence of the chief information officer.

11 NIST's IT Policy Council consists of operating directors, the CIO, a technology services senior representative, a Director for Administration/Chief Financial Officer senior representative, operating unit deputy directors, and a Management Advisory Council representative.
The guidance also stated that IT initiatives must be a product of the operating unit's capital planning and investment control process.

Without a planning and control process developed to deal with IT investments and information security specifically, NIST cannot ensure that IT projects are appropriately selected, planned, and managed; that information security is a factor in each system's design and a management consideration throughout its life cycle; or that information security cost estimates are valid.

Recommendations

We recommend that the director of NIST take the necessary action to ensure that a deadline is established for finalizing and implementing an IT capital planning and investment control process that includes information security with the budget process.

Synopsis of NIST's Response

The response stated that a capital investment planning process was begun in FY02 and will be fully implemented in FY03.

VII. Proactive Attention from NIST Senior Management Could Improve Information Security

To safeguard the privacy, confidentiality, and security of federal information, GISRA requires the head of each agency to ensure that the agency's information security plans are carried out throughout the life cycle of each of the agency's systems. The agency head is also responsible for promoting security as an integral component of that agency's business operations; and agency managers and program officials are required to ensure that effective security policies and procedures are implemented throughout the life cycle of every IT system.

As the discussion in the preceding sections indicates, until recently, information security at NIST has not received adequate attention, and significant weaknesses exist in planning, budgeting, implementation, review, and oversight.
Thus there has been a lack of follow-through in carrying out fundamental responsibilities, including:

    • establishing comprehensive information security policies and procedures;

    • identifying, assessing, and understanding risks to NIST's IT assets;

    • determining information security needs commensurate with the levels of risk;

    • planning, implementing, and testing controls that adequately address risk;

    • continually monitoring and evaluating policy and effectiveness of information security practices;

    • ensuring appropriate personnel security controls are implemented; and

    • developing a capital planning and investment control process and integrating information security into it.

In June 2001, to reinforce the Department's management of IT and its capital investment planning, the Secretary issued a memorandum directing all operating units to appoint a CIO who would report to the head of the operating unit or the principal deputy, as well as to the Department's CIO.12 The objective: to have a senior official in each operating unit with the stature, skills, and clout to strengthen IT management. The CIO is to be responsible for advising the operating unit's senior management on all aspects of IT and is to concur in the budgeting and expenditure of funds for IT by the unit.
To further highlight the importance of information security as a senior management responsibility, the Secretary of Commerce, in a July 2001 memorandum, directed secretarial officers and heads of operating units to give information security high priority and sufficient resources and to invest the time necessary to assure information security improvements. The memorandum further directed these officials to work closely with and support their operating unit CIOs with respect to information security and to allocate sufficient resources at the operating unit level necessary for the protection of Commerce data and systems.

Currently, however, NIST does not have a CIO; its CIO office resides in ITL and reports to ITL's acting director, who also serves as the acting CIO. We believe that an empowered CIO—that is, one that has the support of the NIST director and sufficient resources—is essential for improving NIST's information security program, as well as its management of its IT resources in general. As GISRA makes clear, however, information security is the responsibility not solely of the CIO but of senior management across the organization. Thus, the awareness, support, and proactive involvement of NIST's senior management are vital to establishing the environment and ensuring the resources needed to promote an effective information security program.

Recognizing that its IT management needs improvement, NIST is working to define a new CIO organizational structure intended to enhance its authority and provide a more effective focus on IT oversight, including information security. Since May, when our fieldwork was completed, the director of NIST has taken an important step toward improving IT security at NIST by issuing a memorandum acknowledging his responsibility for the security of NIST's data and IT systems.
This memo also directs all\nmembers of NIST\xe2\x80\x99s upper management to give IT security a high priority and to ensure\nthat NIST policies, procedures, and operational environment are exemplary.13\n\n12\n  Memorandum from Donald Evans to Secretarial Officers and Heads of Operating Units, \xe2\x80\x9cStrengthening\nCommerce Information Technology Management,\xe2\x80\x9d June 13, 2001.\n13\n   Memorandum from Arden L. Bement, Jr., to Senior Management Board, \xe2\x80\x9cResponsibilities for\nInformation Technology (IT) Security,\xe2\x80\x9d June 11, 2002.\n\n\n\n                                                 20\n\x0cU.S. Department of Commerce                                      Final Inspection Report OSE-15078\nOffice Of Inspector General                                                         September 2002\n\nRecommendations\n\nWe recommend that the director of NIST take the following actions:\n\n1. \t Ensure that information security receives high priority in accordance with the\n     Secretary\xe2\x80\x99s direction.\n\n2. \t Ensure that senior NIST management officials understand and implement their\n     information security responsibilities.\n\n3. 
\t Define and implement a new CIO organizational structure, appoint a CIO as soon as\n     possible, and ensure that the CIO is provided with the responsibility and authority to\n     develop and maintain a NIST-wide information security program.\n\nOIG Comment\n\nAlthough the response did not address how these recommendations will be implemented,\nthe NIST director recently sent a memorandum to the NIST operating unit directors\ndiscussing the findings and recommendations of our evaluation and emphasizing his\npersonal responsibility as director and their responsibility as program managers for good\ninformation security.14 Significantly, the memorandum states:\n\n        NIST\xe2\x80\x99s highly visible mandate as the provider of cyber-security guidance for\n        Federal Agencies and icon for commercial and industry software providers and\n        users, requires that our own systems meet a \xe2\x80\x9chigher standard\xe2\x80\x9d of excellence. If\n        we are the premier developer of cyber security guidance, we should also be the\n        premier performer in the implementation of that guidance!\n\nThe memorandum further discusses the need to adopt new approaches to information\nsecurity as part of the NIST \xe2\x80\x9clifestyle.\xe2\x80\x9d It concludes by pointing our the importance of\nall employees understanding their responsibilities for information security, the need for\nNIST management to lead and promulgate changes, and the goal of making NIST an\nexemplary agency in securing its IT resources.\n\nThese are significant steps in addressing the first two recommendations. However, the\nthird recommendation regarding the CIO remains to be addressed. We again emphasize\nthe importance of having an empowered CIO to achieve the needed improvements in\ninformation security, in particular, and IT management, in general. 
We look forward to\nreceiving your approach to implementing this recommendation when you submit your\naction plan.\n\n\n\n\n14\n Memorandum from Arden L. Bement, Jr., Director, for OU Directors, \xe2\x80\x9cNIST IT Security and the\nGovernment Information Security Reform Act (GISRA) Audit,\xe2\x80\x9d September 6, 2002.\n\n\n                                                21\n\x0cU.S. Department of Commerce                                 Final Inspection Report OSE-15078\nOffice Of Inspector General                                                    September 2002\n\nAPPENDIX A\n                Additional Information on Security Roles within NIST\n\nComputer Security Officer \xe2\x80\x93 Appointed by the Information Technology Laboratory\ndirector, with the approval of the NIST Deputy Director, the NIST Computer Security\nOfficer is charged with the following:\n\n       \xe2\x80\xa2\t   Developing computer security policies and procedures for NIST.\n\n       \xe2\x80\xa2\t   Coordinating NIST computer policy, computer security actions, and\n            incident reporting with the Department of Commerce and other outside\n            organizations.\n\n       \xe2\x80\xa2\t   Ensuring periodic training opportunities for NIST staff in the areas of\n            computer security, awareness of problems, and good practices.\n\n       \xe2\x80\xa2\t   Helping with the planning, budgeting, and implementation of\n\n            computer security functions for NIST. \n\n\n       \xe2\x80\xa2\t   Serving as a resource on effective computer security practices \n\n            for NIST management and staff. \n\n\n\nOperating Unit Directors - Appoint the computer security officer responsible for\nthe security of all information resources in the unit and, for units with multiple\nsites, appoint a computer security officer for each site. 
Unit directors are also\nresponsible for assessing risks of loss of unit information resources and\nimplementing appropriate levels of security for their facilities, software, data, and\ncontracted services.\n\nOU Computer Security Officers - Serve as contact points for all computer\nsecurity related issues for the unit; represent their unit in the development of\nNIST computer security policy; and recommend to the unit director how best to\nimplement the NIST computer security policy within their unit.\n\nDivision Chiefs, Group Leaders, and Project Managers - Ensure that the\ncorrect level of computer security is implemented for each resource, given the\nrisks, and that employees have the necessary awareness and computer security\ntraining.\n\nSystem Administrators - Responsible for the computer security program and\nprocedures for systems under their control.\n\nAll authorized users (employees and collaborators) - Responsible for complying with\npolicies and procedures on the use of information resources and for reporting to the\nappropriate unit computer security officer and the NIST computer security officer any\nsuspected breach of security.\n\n\n                                             22\n\x0c\x0c\x0c\x0c\x0c"